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1 The above-entitled matter came on for oral hearing on Wednesday, 

2 March 18, 2009, at The U.S. Patent and Trademark Office, 600 Dulany 

3 Street, Alexandria, Virginia, before Victor Lindsay, Notary Public. 
4 

5 MS. BOBO- ALLEN: Good morning. Calendar No. 22, Appeal No. 

6 2008-4795. Ms. Qian. 

7 MS. QIAN: May it please the court, my name is Chen Qian. I'm 

8 from Fish & Richardson. I represent America Online in this application, 

9 deep packet scanning. 

10 JUDGE BLANKENSHIP: Little bit - speak louder, please. 

11 MS. QIAN: Okay. Do I need to review - 

12 UNIDENTIFIED SPEAKER: You can go to the - 

13 MS. QIAN: Oh, okay. Should I repeat? Okay, sorry. 

14 My name is Chen Qian from Fish & Richardson. I represent America 

15 Online on the appeal case of deep packet scanning, this application. 

16 America Online, as you know, is a very big internet service provider 



17 and provides a lot of web services to many millions of users both nationally 

18 and internationally, and they have been doing this for a decade. Of course, 

19 they have lots of challenges while being such a big service provider. One of 

20 the challenges is they face a lot of attackers. Hackers in the internet 

21 community try to inundate servers so that server cannot operate normally in 

22 the normal — for normal users. 

23 So this is area problem and they did a lot of thinking and come up 

24 with a lot of solutions. One of them is the application today, deep packet 

25 scanning. So in the typical context, AOL will be access provider, which is a 
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1 server, we claim access provider in the claims, and a client if access 

2 request - request service from the server. So the problem we're trying to do 

3 is we want to prevent hackers from attacking the server. So one of the 

4 techniques is denial service technique. What they do is they pretend to be 

5 a -- user and they log in to the server consecutively so many times in very 

6 short duration, so server will be so overwhelmed accepting the hacker's 

7 request and then has no bandwidth to process normal users' requests. 

8 To protect the server from such attack, AOL come up with solution 

9 that we will introduce a network device sitting between the access requester 

10 and access provider. What this network device is doing is it will monitor 

1 1 and try to find attackers and deny them such service. So in detail what it 

12 does is in the beginning when access requester requests service, we don't 

13 know if it's attack or not so - we see access provider side. That access 

14 provider receives a request. Okay, this is not a legitimate user. I don't have 

15 a login password for this guy. Access provider make a decision, this is bad 

16 login and provide that feedback back to the access requester buying the — 

17 that request. 

18 So what my device is — the first function is watching traffic from the 

19 server, a person that contacts a network, the traffic unit's data packet. All 

20 these communications are data packets. Network service - network device 

21 is watching the data packets from access provider and look to see if there are 

22 any login failure messages. The way he does it is to go to — data packet 

23 usually has two portions. One is like - portion. The other one is the - 

24 portion. - portion is a contact — portion is maybe where you'll find where 

25 the IP address is, what time you send this packet, all those — 
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1 So -- thing about the network device is it goes deep packet scanning 

2 going to the - portion of the packet and check this three different pattern 

3 that matches a login failure message. So when you text that, okay, this is - 

4 these are now good. So I'm going to keep -- is this -- requested -- 

5 JUDGE LUCAS: Ms. Qian, Ms. Qian, I'm sorry to interrupt you 

6 but you have labeled that figure 1 , and is that figure 1 on the record in the 

7 record? 

8 MS. QIAN: Yes, it is. This shown in the pre-appeal brief - repeat 

9 appeal brief and the answers so - 

10 JUDGE DANG: Right, but it's not in your specification. It's 

1 1 basically -- it was in your arguments in the appeal brief and the brief, yes. 

12 MS. QIAN: Yeah, yes. 

13 JUDGE DANG: Yes, I understand. 

14 MS. QIAN: Yeah. 

15 JUDGE DANG: Oh, yeah, I mean basically we do understand the, the 

16 technology. If you want to go through the arguments, we can do that. 

17 MS. QIAN: Yeah, definitely, okay. So you know this - in between. 

18 Look at the -- count in the palo (phonetic sp.) portion -- count the number of 

19 attacks. When it's over it's - value of packets I counted as bad. I will deny 

20 subsequent requests from this guy. So that's monitor, deny, two action in 

21 this device. That's what we are claiming. 

22 So — has Examiner provide full references in combination to reject 

23 this application so - reference is a Cox reference. What Cox reference does, 

24 it does has -- provider and has intermediate network device. What it does is 

25 it's almost like a future, future any bad request from the access provider, 
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1 because it already has knowledge who might be bad. So what it does is it 

2 checks the data package from the access requester, find the IP address of that 

3 access requester, and if it, if it knows that this IP address is from attacker I 

4 will deny it. Because he has knowledge what kind of IP address is actually 

5 fake or from hackers. 

6 So all this guys does is look at data packets from access requester and 

7 look at the attribute portion and deny the known attackers. 

8 JUDGE DANG: But if you look at figure 1 of Cox, the arrows go 

9 both ways. The - it goes both ways and so why are - I mean, you know, 

10 you're, you're drawing your number two right there as an - just, just the data 

1 1 packet going one way. But according to the figure 1 of Cox, the data 

12 packets go both ways. 

13 MS. QIAN: The data packet in Cox is going both ways between the 



14 client and network device, but they never actually reach to the access 

15 provider. The two embodiment they had is once I know it's IP address. The 

16 other one is I make some request with access requester and they can 

17 acknowledge it. If there's nothing written acknowledge back, I know it's not 

18 actually someone who's waiting. It's just computer so I know. 



19 So in those two embodiments, even though it does do little back and 

20 forths, okay, request me and then if you don't acknowledge me, here, I will 

21 deny you again. So in those cases, everything is done at network device 

22 level, never actually pass — to the provider service. 

23 MR. ROZYLOWICZ: And to amplify one thing that she said, it never 

24 actually makes a decision of whether or not to block this guy based on the 

25 response from the access provider to the access requester as it's seen by the 
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1 network device. It never makes this blocking decision based on that traffic 

2 flow right there. 

3 MS. QIAN: — intelligence is Cox is - network service. They never 

4 actually receive -- access provider to do some login checking and then deny 

5 it and based on service decision to accumulate that knowledge. So network 

6 device is almost like a future - I don't even let him reach the server. 

7 JUDGE DANG: Okay. Another question I have is what in your 



8 claim, what — claim 1. What, what in your claim 1 said — would say that 

9 access requester is the I guess attacker of Cox in figure 1 and what would, 

10 what would be the access provider that - I mean you're reading the access 

1 1 provider as the corporate private network, right? But what in your claim 

12 particularly defines these terms? 



13 MS. QIAN: Well, it's common sense when you request — 

14 JUDGE DANG: All we have is, all we have is a label that says access 

15 requester and access provider. 

16 MS. QIAN: Right. 

17 JUDGE DANG: So you go there -- you go to Cox, and you say okay, 

18 I'm going to label it like this, and I'm going to have this figure 2, and I'm 

19 going to call this access requester, this access provider. I want to, I guess, 

20 hear your, your correlation between Cox and what you would label that. 

21 What, what in your claim would say that? 

22 MS. QIAN: Well, so it's kind of based on the language itself. Access 

23 requester is by common sense someone try to get service from a server. 
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1 JUDGE DANG: Yeah, is -- 1 mean I, I don't have a -- 1 don't see a 

2 step of accessing service. All you have is access requester. Accessing 

3 what? 

4 MS. QIAN: Accesses service. 

5 MR. ROZYLOWICZ: Ms. Qian, do you want to pull up the claim 1, 

6 reference that — it speak to what appears in the claim? 

7 JUDGE LUCAS: While we're waiting, Ms. Qian, would you 

8 introduce your associate? 

9 MS. QIAN: Excuse me? 

10 JUDGE LUCAS: Would you introduce your associate? 

11 MS. QIAN: Oh, Tom is my supervisor actually. Tom Rozylowicz. 

12 MR. ROZYLOWICZ: My name is Tom Rozylowicz, Your Honor. 

13 MS. QIAN: From also Fish & Richardson. 

14 Well, the, the claim language in claim 1 said message for securing 

15 accessible computer system. So the computer system is the one that's being 

16 accessed. The system — 

17 JUDGE DANG: That's in the preamble, right? 

18 MS. QIAN: It's in the preamble, yes, and the, the first - receiving 

19 more than one packet at network device, each packet including palo 

20 portion -- portion -- between these, one access requester and at least one 

21 access provider through the network device. 

22 So it's — you access computer system and the system is access 

23 provider and there is data packs going between. 

24 Second language, monitoring at the network device. At least the palo 

25 portion of the data packet directive at least from one of the access providers 



7 



Appeal 2008-4795 
Application 09/894,918 



1 to at least one of access requesters by scanning the palo portion for at least 

2 one predetermined patent and count the number of data packets having palo 

3 portions that include predetermined patent. So that kind of a direction of 

4 traffic is we're watching data packets directed from access provider back to 

5 the access requesters by scanning the palo portion and counting number of 

6 the packets have a patent. 

7 The third step, using the network device deny -- to denying 

8 communication with subsequent data packets from access requester to the 

9 access provider when number of palo portions that the data packets received 

10 from access provider to access requester are deemed to be include 

1 1 predetermined patent exceed -- number. 

12 So, so that just describes the network device — denying access from 

13 the access requester after it find that there's - certain number of data packets 

14 that from access provider that contains a bad patent. In fact, the, the 

15 Examiner's answer actually admitted that Cox doesn't teach the access - the 

16 traffic from access provider to the access — to the network device. 

17 JUDGE DANG: Okay, that's -- let's go on, let's go on to your other 

18 arguments. 

19 MS. QIAN: Okay. So just to, to see what deficiencies that Cox has. 

20 Cox has quite a few number of deficiencies. Number one it doesn't — this 

21 minor deficiencies like it doesn't show to deep packet scanning, only do the 

22 palo portion, and Examiner brings the Maher to cure that deficiency. The 

23 other one is Cox didn't really count number of bad packets from - and what 

24 the most significant we think, the whole structure, the whole flow is missing 

25 is Cox never look at traffic from access provider. It only - it did some 
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1 preemptive strike instead of doing anything based on the intelligence of the 

2 server. So to, to cure that deficiency, the Examiner brought Alcendor to 

3 cure this deficiency which really doesn't, doesn't help. We'll, we'll take a 

4 look at what Alcendor's pointing. 

5 So Alcendor is a telephone system. It's not -- telephone system that 

6 used to access - configure certain services and the, the patent is focused 

7 on -- authentication because they think use the ID password or PIN. It's so 

8 easy to intercept it by -- they don't trust -- they use telephone, use voice 

9 authentication. And what it does is this is speaker of the telephone. Calls to 

10 the service provider, say okay, I want configure my internet service. I want 

1 1 configure my TV service. For example, the, the - shows is like internet 

12 service I want control the violence level because I'm - my child will see 

13 violence content. Or it's a TV service. I want to see pay-per-view. I will 

14 configure those thing. 

15 So the, the authenticated parent calls the service, say okay, I want to 

16 change my minor's level of internet service, and the service provider has a 

17 sample of the parent's voice, so he can okay, you are, you are the real parent. 

18 Then I will let you configure our service, and if it's a child who is trying to 

19 pretend to be a parent and want to see some interesting things, so he calls 

20 and he will fail. 

21 So what happens when failed login happens? So when the child calls, 

22 say okay, I want to configure my internet service and as — no, you are not 

23 the right — you are not right subscriber. I will redirect you to the starter 

24 page. The start page is whether you want to configure TV service, whether 

25 you configure your internet service. 
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1 So the child going to try again. So okay, fine. I'm going to call again. 

2 I'm going to use a different voice. So this is a very old-fashioned way — 

3 some access provider or the server to say - to identify whether there is valid 

4 login and how the server decides whether it's valid or not, the decision is to 

5 redirect to a different page. 

6 So, so Cox and Alcendor even if they combine, we don't see any 

7 traffic coming from access provider back to the access provider, because the 

8 decision is consumed by an access provider itself and redirect start page - 

9 server flow. So number two, it never showed an adequate device, so — 

10 JUDGE DANG: But the rejection is based on four references, not just 

1 1 two references. 

12 MS. QIAN: Yes. 

13 JUDGE DANG: And the test for obviousness is what the 

14 combination of all the references will have - 

15 MS. QIAN: Right. 

16 JUDGE DANG: - just suggested. Now what about the other 

17 references? What about Maher for instance? 

18 MS. QIAN: Yeah - 

19 JUDGE DANG: Maher shows that you are looking at the payload of 

20 the - 

21 MS. QIAN: Exactly. 

22 JUDGE DANG: - of the provider on - 

23 MS. QIAN: No - 

24 JUDGE DANG: - or if you would label it, you would label it 

25 "provider." 
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1 MS. QIAN: No, no, actually Maher is looking at the access requester. 

2 Both Maher and the -- 

3 JUDGE DANG: Maher is looking at packets from the network which 

4 is I guess would be "provider." 

5 MS. QIAN: No, actually if you read it deeper the — from network is 

6 from the client. 

7 MR. ROZYLOWICZ: It's network packets from the client side. 

8 MS. QIAN: Yeah. 

9 MR. ROZYLOWICZ: To the access provider. 

10 MS. QIAN: Yeah, data packet can go either way so - 

1 1 JUDGE DANG: Exactly, and that's what I've been saying. Data 

12 packets could go either way. 

13 MS. QIAN: Right. 

14 JUDGE DANG: And so -- but this one says we scan -- 1 guess they're 

15 doing it for - traffic flow, and traffic flow would be coming from the 

16 network and, and you know, I guess it's providing data, it's providing data. 

17 Why wouldn't it be an access provider? I don't -- you know, I guess I'm 

18 still — 

19 MS. QIAN: Yeah, I guess you -- 

20 JUDGE DANG: I'm still not seeing that from your claim as in what is 

21 an access requester? What is an access provider? 

22 MS. QIAN: Yeah, I think probably we kind of think it's a system, 

23 computer system, so the provider mostly are service providers, and then 

24 when user are requesters, and most of the -- are kind of blocking traffic 
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1 from, from client, because only client can be evil. They can be hackers. 

2 Server usually don't — 

3 MR. ROZYLOWICZ: Your Honor, if I paraphrase your question, 

4 make sure I'm being responsive because I know we haven't been — I don't 

5 think we've been responsive to it today, and I think if I understand what 

6 you're getting at correctly is what is the language in the claim itself that 

7 allows us to, to construe claim 1 so that it, it looks like this architecture as 

8 opposed to the Cox and other architectures? How do we get the meaning 

9 because the, the language in the claim itself only speaks to data packets, not 

10 necessarily requests and responses to the requests and I think - 

1 1 JUDGE DANG: Right. I mean, basically what we — I'm seeing is 

12 receiving from one to another and monitoring it and then, and then denying, 

13 right? So there's no step of accessing or, or providing any services or 

14 anything like that. So I just need to -- a little clarification as to why one of 

15 ordinary skill in the art with access to all four of these references would say 

16 hey, that's not obvious. 

17 MR. ROZYLOWICZ: So there's two questions. There - 

18 (Buzzer sounds) 

19 MR. ROZYLOWICZ: Okay, is that 1 minute? Okay, so the first 

20 point is that I think we - for construction we simply attach a lot of meaning 

21 to the terms access requester, access provider. That's how we get the -- the 

22 other point as to why it's not obvious to compile these references, this 

23 reference right here, Alcendor, simply doesn't protect the server's system 

24 from having to respond to the excess number of requests. It simply doesn't 

25 protect it. Similarly, Cox there relies upon — simply operates differently, 
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1 because it relies on having an established blacklist of who the bad guys are. 

2 None of those are directed to a world in which you don't know who your 

3 good and bad guys are, and you have to make that decision in real time using 

4 a network device that - 

5 JUDGE DANG: Wait, wait. Cox doesn't say who's the bad guy? I 

6 thought Cox - that's what attacker is - a bad guy, right? 

7 MR. ROZYLOWICZ: Yes, Your Honor. 

8 MS. QIAN: Cox knows, Cox knows who the bad guy is but we don't 

9 know — 

10 JUDGE DANG: Right, right, so, so I'm, yeah, I'm, I'm hearing 

1 1 arguments that this one doesn't disclose this. This one doesn't disclose this. 

12 I just want to hear an explanation why all of them combined would not be 

13 obvious or, you know, would be - would not have suggested that to one of 

14 ordinary skill in the art. 

15 MS. QIAN: Your Honor, I would just say Maher and Eichstaedt and 

16 Cox Street (phonetic sp.) all look at the, the incoming traffic. The only one 

17 who actually did some login, that's why the print Alcendor and - we don't — 

18 even with Street we don't have that feature of looking at the server, so that's 

19 why we'll bring Alcendor. Alcendor is only because the server decide the 

20 login failure. They think that's kind of similar. But the only thing the server 

21 did decide login -- that message not returned to the network device to, to -- 

22 for determination of — for the log. So this one has never — Alcendor is 

23 never logged on the server side. So it's like the Street patent, three 

24 combinations still fail this — missing this feature and uses fourth one. The 

25 fourth one really didn't do the job. That's why - it's not — 
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1 JUDGE BLANKENSHIP: Would you like a minute to sum up? 

2 MS. QIAN: Sure. So in conclusion, we conclude that even with the 

3 four combinations, they still different from what the applicant has claimed. 

4 They're missing the significant feature of watching traffic on the server and 

5 to make a decision based on the server -- 

6 JUDGE BLANKENSHIP: All right, thank you. 

7 MS. QIAN: Thank you. 

8 MR. ROZYLOWICZ: Thank you, Your Honor. 

9 (Whereupon, the proceedings concluded on March 18, 2009.) 
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